
Security Bits — 11 June 2023

Deep Dive — Security & Privacy Highlights from WWDC

As with most things WWDC, this is a glimpse of the future rather than new tools we get to use today, but I think it’s still worth taking a little time to look at some of the security and privacy enhancements Apple announced.

  • Apple’s current Communication Safety opt-in parental control (it uses on-device machine learning to detect nudity in images on children’s iPhones and blurs them behind a child-friendly warning, leaving the child to choose whether or not to view the image) is evolving into a feature for all iOS users named Sensitive Content Warnings — www.cultofmac.com/…
    • All processing still happens on-device
    • Still opt-in
    • Will cover more than just Messages, including AirDrop
    • An API is being made available so developers can add support to their third-party apps
  • Safari is getting some nice enhancements across the various platforms — www.cultofmac.com/… & www.cultofmac.com/…
    • Profiles will allow you to use the same browser to log in to the same site with multiple accounts at the same time; each profile effectively behaves like an independent browser. If you use a dedicated profile for social media, none of those cookies get to follow what you do on the rest of the internet 😀
    • Even within a profile, Safari will proactively strip known tracking tokens from URLs whenever it can
    • You’ll have the option to require biometrics to unlock private browsing windows/tabs
    • You’ll be able to set different search engines for private and regular browsing (maybe you can tolerate DuckDuckGo for private browsing even if you can’t do without Google day-to-day)
    • Websites can be turned into stand-alone apps with support for push notifications etc. This is useful if you like cmd+tabbing to web apps, but it has a security bonus too: each of these apps lives in its own isolated cookie universe, so if you must use social media sites, this is another safer way of doing it
  • Check In provides a more targeted solution to getting home safely than simple location sharing: the person leaving tells Messages where they are heading and who should be alerted if they get waylaid en route. The person being checked in with is only notified if the traveller stops making progress towards their destination, and they then get useful metadata: the cell reception and battery level when the traveller’s iPhone last reported in, as well as the time and location of that last sighting.
  • iCloud Keychain will be able to share passwords and passkeys with groups — www.macobserver.com/…
  • iCloud KeyChain will be able to share passwords and passkeys with groups — www.macobserver.com/…
  • AirTags will also be sharable within groups — www.cultofmac.com/…
  • In iOS 17, security codes sent by email will get the same auto-fill convenience codes sent by SMS do today — www.cultofmac.com/…
    • There’s also a related feature to auto-delete codes from both Mail and Messages once they’ve been auto-filled, to stop them cluttering your inboxes
  • Developers have been given new tools to make it easier to add accurate privacy nutrition labels to their app store listings — appleinsider.com/…

Links

❗ Action Alerts

  • Google Chrome, Microsoft Edge, Brave, and Vivaldi users need to be sure their browsers are fully patched – a nasty zero-day bug is being actively exploited in the wild! — nakedsecurity.sophos.com/…
    • In theory, the bug exists in all Electron apps too, so be sure to patch all your network-connected apps in case they use Electron — www.intego.com/…
  • If you can, and you haven’t yet, now is the time to update to iOS 16 – Kaspersky have found a zero-click remote code execution vulnerability (as bad as it gets) in the latest version of iOS 15. Apple will probably patch it soon, but it’s not patched yet, and it doesn’t exist in iOS 16 — appleinsider.com/…
    • This may be the kernel of truth behind the unsupported and incredible (in the literal sense of not being believable) claim by the Russian government that Apple is working with the CIA to hack them — appleinsider.com/…
  • Owners of PCs with Gigabyte motherboards need to be sure their firmware and drivers are patched ASAP — the UEFI firmware on many of the boards was found to drop an updater into Windows at boot time, and that updater fetched and ran code over connections that were neither properly secured nor properly verified, leaving the machines open to takeover by rootkits — nakedsecurity.sophos.com/…
  • If you use KeePass on Windows, be sure it’s up to date: they’ve patched a memory-handling bug that failed to clean the master password out of RAM properly, leaving it theoretically recoverable by other local processes or from a memory dump — thehackernews.com/…
    • An excellent explainer of the mistake the KeePass developers made, and why calling the right API function on each OS matters — nakedsecurity.sophos.com/…
  • If you use iTunes on Windows, be sure it’s patched, Apple have fixed a privilege escalation vulnerability — appleinsider.com/…
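The KeePass item above is worth a worked illustration. What follows is an added example written for this page, not code from the Security Bits post, the Sophos explainer or KeePass itself: a tiny model of a password text box that builds a fresh immutable string for every keystroke (the way .NET strings behave) beside one that appends into a single buffer and wipes it on close, plus a simulated memory-dump scan that counts how many prefixes of the secret are left lying around. The arena standing in for the heap, the sample password and every function name are constructed assumptions of the example.

```c
/*
 * Added example for this page; not code from Security Bits, Sophos or KeePass.
 * It models the class of mistake behind the KeePass master-password bug in a
 * form that can be checked deterministically. A text box that creates a new
 * immutable string on every keystroke abandons each previous copy, so a dump
 * of process memory contains every prefix of the secret and the password can
 * be read back one character at a time. The fixed box appends in place into
 * one buffer and wipes it on close. The "heap" is a constructed static arena
 * so the example can scan it like a memory dump; a real allocator leaves old
 * blocks behind the same way, just less predictably. All names are assumed.
 */
#include <stddef.h>
#include <string.h>

#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];   /* stand-in for the process heap */
static size_t arena_top;

void arena_reset(void)
{
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Bump allocator that never frees: abandoned data stays readable until the
 * bytes are reused, like a freed-but-unwiped block in a real heap. */
static unsigned char *arena_alloc(size_t n)
{
    if (arena_top + n > ARENA_SIZE) return NULL;
    unsigned char *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Zeroing the compiler cannot drop as a dead store: stores through a volatile
 * pointer must be performed. The per-OS equivalents are SecureZeroMemory() on
 * Windows and explicit_bzero() on glibc/BSD, which is why calling the right
 * API matters; a plain memset() on a buffer never read again may be elided. */
static void secure_wipe(unsigned char *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Simulated memory-dump search: how many prefixes of secret (length 2 up to
 * the full length) exist somewhere in the arena as a NUL-terminated string. */
size_t count_prefix_copies(const char *secret)
{
    size_t len = strlen(secret), found = 0;
    for (size_t k = 2; k <= len; k++) {
        for (size_t i = 0; i + k < ARENA_SIZE; i++) {
            if (memcmp(arena + i, secret, k) == 0 && arena[i + k] == '\0') {
                found++;
                break;
            }
        }
    }
    return found;
}

/* Flawed pattern: each keystroke builds a new string "old + c" and the old
 * one is simply dropped, leaving "T", "Tr", "Tr0", ... all in memory. */
unsigned char *leaky_textbox_type(const char *keystrokes)
{
    unsigned char *cur = arena_alloc(1);
    size_t n = 0;
    cur[0] = '\0';
    for (const char *c = keystrokes; *c; c++) {
        unsigned char *next = arena_alloc(n + 2);
        if (!next) return cur;
        memcpy(next, cur, n);
        next[n] = (unsigned char)*c;
        next[n + 1] = '\0';
        cur = next;                   /* previous copy abandoned, never wiped */
        n++;
    }
    return cur;
}

/* Fixed pattern: one fixed-size buffer appended in place, so at any moment
 * exactly one copy of the partial secret exists. */
#define BOX_CAP 64
unsigned char *safe_textbox_type(const char *keystrokes)
{
    unsigned char *buf = arena_alloc(BOX_CAP);
    size_t n = 0;
    for (const char *c = keystrokes; *c && n < BOX_CAP - 1; c++) buf[n++] = (unsigned char)*c;
    buf[n] = '\0';
    return buf;
}

/* Closing a box wipes the string it handed back. For the leaky box this is
 * the naive "fix": it removes only the final copy; the prefixes survive. */
void textbox_close(unsigned char *buf)
{
    secure_wipe(buf, strlen((const char *)buf) + 1);
}
```

Typing the constructed password "Tr0ub4dor&3" into the leaky box leaves ten recoverable prefixes in the arena, and closing it only removes the last one; the in-place box never holds more than one copy and holds none after close. The same scan run against a real memory dump is exactly what turned the KeePass bug into a password-recovery tool.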

Notable News

  • 🇺🇸 Amazon have settled with the US Federal Trade Commission for $5.8M to end the investigation into privacy violations at Ring — appleinsider.com/… (Until mid-2017 staff & contractors had unrestricted access to customer videos, and abused that access)

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
